How to check if deserialized exhaustive enum value is legal?

matklad · July 18, 2023, 8:45pm

A puzzle from TigerBeetle that I don’t quite know how to solve.

We have a setup roughly like this:

const Command = enum(u8) {
  reserved = 0,
  ...
  request_blocks = 19,
  // Note: no `_` here.
}

const MessageHeader = extern struct {
    checksum: u128,
    command: Command,
    // A bunch of other stuff
}

When we receive a message over the network, we verify the checksum, then cast raw bytes to MessageHeader, and verify semantic validity of each field. This works for almost all fields, which are integers or enums with _ (so any bitpattern goes).

The only problem is this command: Command exhaustive enum, as, if we cast it first and then validate, we might create a value with illegal bitpatern, and that would be IB (illegal behavior).

One way I can handle this is by making the enum non-exhaustive, but that means that all the code would have to deal with non-exhaustiveness, which feels wrong — it should be enough to check this once at the edge of the system.

Another approach I can think about is to comptime-compute the offset of the field, and poke the memory directly, while it is still []const u8, to verify that the byte is OK. This feels somewhat indirect to me though, and error prone.

Yet another approach is to write a type-level function which would take my MessageHeader type and return a different type with exhaustive enums replaced with their reprs (MessageHeaderRaw). I can then cast bytes to that MessageHeaderRaw (where every bitpattern is valid), check that enums are all-right, and then cast Raw into non-Raw. Conceptually, it feels like the right way to do it, but it needs a fair amount of comptime machinery (a whole new function to clone the struct basically).

Is there some simpler, more direct way to do what I want here?

matklad · July 18, 2023, 9:47pm

I guess there’s a rather precise question about Illegal Behavior hiding here. If I re-interpret memory as a value of a type, and that value turns out to be invalid, do I hit IB immediately when I crate such a value, or only when I use it?

Like, if I have an *[1] u8 and men.bytesAsValue that to *bool, is it an immediate game over if the value actually stored there is 92, or can I cast that bool back to byte and check that a byte is valid?

If UB is postponed, I think it would be correct for me to do the following:

reinterpret bytes as MessageHeader
asBytes header.command
verify the range of byte

AndrewCodeDev · July 18, 2023, 10:19pm

Can you explain your thoughts a bit more on why you think the non-exhaustive approach is not favourable to potentially casting invalid bit patterns to other types? I’m interested in what you think the trade-off is to inspire the need for that technique?

matklad · July 18, 2023, 10:36pm

There’s a bunch of exhaustive matches in the code which I’d rather keep as exhaustive, and things like EnumSet break for non-exhaustive enums.

More philosophically, _ crates ambiguity as to whose job it is to deal with extra variants. If you make enum exhaustive, that becomes clear — the code which re interprets bytes as enum must handle that.

kristoff · July 18, 2023, 10:59pm

Probably there won’t be a final answer to your IB question until we’re going to have a spec, but generally speaking Zig doesn’t have a problem with malformed data existing, just when it gets accessed by operators that expect it to be correct (eg @enumFromInt, @tagName), that said I think the option of checking the byte array directly deserves more consideration since it completely bypasses any question about the language memory model.

const command_bytes = data[@offsetOf(MessageHeader, "command")..][0..@sizeOf(Command)];
const command_id: u32 = @bitCast(command_bytes);
// etc

With just a sprinkle of metaprogramming you can make this entire thing parametric and reusable.

andrewrk · July 19, 2023, 6:52am

How about a switch that lists all the enum values, possibly with ranges? Or if your enum has no holes, how about checking if the value is less than or equal to the last enum tag?

There is std.meta.intToEnum, which looks to me like the implementation could perhaps be enhanced but it seems like it matches the API you want.

matklad · July 20, 2023, 10:14am

We ended up deciding that crashing would actually be the correct, safe behavior in the face of unknown values for this particular enum, and just added a comment:

github.com/tigerbeetle/tigerbeetle

vsr: explicitly crash on unknown commands

tigerbeetle:main ← tigerbeetle:matklad/crash-implicit

opened 06:36PM - 19 Jul 23 UTC

matklad

+7 -0

Racked my brain a bit here, but I think this is the lesser of two weevils! F…irst, I am moderately strongly convinced that a crash is a right behavior here, as ignoring unknown commands might lead us to not doing something we _must_ do, which could be a data loss. It might seem that just dropping a message would be fine, because if we hit this it might mean that a "new" replica (or a "new" client) accidentally joined the cluster, and we don't want to let this bring the whole cluster down. _However_, and alternative scenario is that _we_ are an "old" replica, which joins a newer cluster. So everyone can understand our messages, but we might not understand all of the cluster messages. In this scenario, shutting ourselves down seems safer. It _might_ be a good idea to emit a better error message, and avoid materializing invalid enum values of questionable legality. I tried that in https://github.com/tigerbeetle/tigerbeetle/commit/d02a3eda9c694f2aac0d9b7ce3e4b95f1d1f4d59 by adding `_` and I don't really like the result. It needs a bunch of code for pretty much the same outcome. What's more, having `_` in enums feels scary to me, as it, eg, makes `@tagName` non-total (its CIB to invoke `@tagName` on a non-explicit value of non-exhaustive enum). Alternatively, we can do that on the message bus level by poking at the right byte, but I don't like that either, because: - we also get headers from disk, and I want the logic to be applied there as well - we want to check `version` and `cluster` _before_ we check command, and we don't check `version` in message bus, and check `cluster` only after the problematic cast - message bus is not a part of the vopr